Hello,

Still working with my dsync pb.
I have done a clone (vmware) of my email server.
Today I have two strictly identical email servers (server1 (main) and server2 (bck)), except IP, hostname and mail_replica.

The ssl config on both my servers:

ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt
ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem

This config is working for my email client and my email web interface ...

Are they in the right order?

mail_replica = tcps:server1 at domain.ltd and tcps:server2 at domain.ltd

There is traffic on my iptables rules on both my servers:

60 3600 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4711

My error message from server1 (main server):

Feb 03 08:38:08 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Feb 03 08:42:35 doveadm(user2 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Feb 03 08:42:35 doveadm(user3 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
Feb 03 08:42:35 doveadm(user4 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)

No logs from server2

Any ideas?

Thx for your support

--
Regards,
Thierry e-mail : lenaigst at maelenn.org
PGP Key: 0xB7E3B9CD
Hello,

On 02/03/2017 08:51 AM, Thierry wrote:
> Hello,
>
> Still working with my dsync pb.
> I have done a clone (vmware) of my email server.
> Today I have two strictly identical email servers (server1
> (main) and server2 (bck)), except IP, hostname and mail_replica.
>
> The ssl config on both my servers:
>
> ssl_protocols = !SSLv2 !SSLv3
> ssl = required
> verbose_ssl = no
> ssl_key = </etc/ssl/private/private.key
> ssl_cert = </etc/ssl/certs/key.crt
> ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem

I think it should be ssl_client_ca_file = </etc/ssl/certs/GandiStandardSSLCA2.pem for you.

> This config is working for my email client and my email web
> interface ...
>
> Are they in the right order?
>
> mail_replica = tcps:server1 at domain.ltd and tcps:server2 at domain.ltd
>
> There is traffic on my iptables rules on both my servers:
>
> 60 3600 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4711
>
> My error message from server1 (main server):
>
> Feb 03 08:38:08 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
> Feb 03 08:42:35 doveadm(user2 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
> Feb 03 08:42:35 doveadm(user3 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
> Feb 03 08:42:35 doveadm(user4 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>
> No logs from server2
>
> Any ideas?
>
> Thx for your support
Hello Mike,

I have made the change from 'ssl_ca =' to 'ssl_client_ca_file =' but now I do have:

Error: sync: Couldn't initialize SSL context: Can't load CA certs from directory : error:02001024:system library:fopen:File name too long

thx

On Friday 3 February 2017 at 11:34:43, you wrote:
> Hello,
> On 02/03/2017 08:51 AM, Thierry wrote:
>> Hello,
>>
>> Still working with my dsync pb.
>> I have done a clone (vmware) of my email server.
>> Today I have two strictly identical email servers (server1
>> (main) and server2 (bck)), except IP, hostname and mail_replica.
>>
>> The ssl config on both my servers:
>>
>> ssl_protocols = !SSLv2 !SSLv3
>> ssl = required
>> verbose_ssl = no
>> ssl_key = </etc/ssl/private/private.key
>> ssl_cert = </etc/ssl/certs/key.crt
>> ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem
> I think it should be ssl_client_ca_file =
> </etc/ssl/certs/GandiStandardSSLCA2.pem for you.
>>
>> This config is working for my email client and my email web
>> interface ...
>>
>> Are they in the right order?
>>
>> mail_replica = tcps:server1 at domain.ltd and tcps:server2 at domain.ltd
>>
>> There is traffic on my iptables rules on both my servers:
>>
>> 60 3600 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4711
>>
>> My error message from server1 (main server):
>>
>> Feb 03 08:38:08 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>> Feb 03 08:42:35 doveadm(user2 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>> Feb 03 08:42:35 doveadm(user3 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>> Feb 03 08:42:35 doveadm(user4 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>
>> No logs from server2
>>
>> Any ideas?
>>
>> Thx for your support
>>
>>

--
Regards,
Thierry e-mail : lenaigst at maelenn.org
Hi,
I have made a change:
ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt
ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
# Create a listener for doveadm-server
service doveadm {
  user = vmail
  inet_listener {
    port = 12345
    ssl = yes
  }
}

and

doveadm_port = 12345
mail_replica = tcps:server2.domain.ltd   # use doveadm_port
And now:
Feb 03 14:11:16 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't load CA certs from directory : error:02001024:system library:fopen:File name too long
Feb 03 14:11:17 doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
Feb 03 14:11:17 doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
Thx for your support
On Friday 3 February 2017 at 11:34:43, you wrote:
> Hello,
> On 02/03/2017 08:51 AM, Thierry wrote:
>> Hello,
>>
>> Still working with my dsync pb.
>> I have done a clone (vmware) of my email server.
>> Today I have two strictly identical email servers (server1
>> (main) and server2 (bck)), except IP, hostname and mail_replica.
>>
>> The ssl config on both my servers:
>>
>> ssl_protocols = !SSLv2 !SSLv3
>> ssl = required
>> verbose_ssl = no
>> ssl_key = </etc/ssl/private/private.key
>> ssl_cert = </etc/ssl/certs/key.crt
>> ssl_ca = </etc/ssl/certs/GandiStandardSSLCA2.pem
> I think it should be ssl_client_ca_file =
> </etc/ssl/certs/GandiStandardSSLCA2.pem for you.
>>
>> This config is working for my email client and my email web
>> interface ...
>>
>> Are they in the right order?
>>
>> mail_replica = tcps:server1 at domain.ltd and tcps:server2 at domain.ltd
>>
>> There is traffic on my iptables rules on both my servers:
>>
>> 60 3600 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4711
>>
>>
>>
>> My error message from server1 (main server):
>>
>> Feb 03 08:38:08 doveadm(user1 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>> Feb 03 08:42:35 doveadm(user2 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>> Feb 03 08:42:35 doveadm(user3 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>> Feb 03 08:42:35 doveadm(user4 at domain.ltd): Error: sync: Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
>>
>> No logs from server2
>>
>> Any ideas?
>>
>> Thx for your support
>>
>>
--
Regards,
Thierry e-mail : lenaigst at maelenn.org
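Editor's note, with an added config example that is not from the thread or from Dovecot's own documentation. In Dovecot's config syntax a leading `<` means "read this file's contents into the setting". That is correct for ssl_key and ssl_cert, which hold PEM data, but ssl_client_ca_file and ssl_client_ca_dir hold a *path* that is handed to OpenSSL for loading the trust store; with the `<` in front, the PEM text itself becomes the file name OpenSSL tries to open, which matches the "fopen:File name too long" error in the last message. The fragment below puts the setting as posted next to the form Dovecot expects. Paths, hostnames and port 12345 are taken from the thread; the layout in which each server's mail_replica names the *other* host is my assumption about the intended two-node setup, not something the thread states.

```conf
# --- As posted in the thread (breaks CA loading) ---
# The leading '<' inlines the file contents. For a CA *path* setting that
# turns the PEM text into the filename OpenSSL tries to fopen(), hence
# "error:02001024:system library:fopen:File name too long".
#ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem

# --- Corrected form (editorial example, not the poster's final config) ---
ssl = required
ssl_protocols = !SSLv2 !SSLv3

# ssl_key / ssl_cert hold PEM *contents*, so '<' is right here.
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt

# Trust store used when Dovecot itself is the TLS *client* (dsync over
# tcps:). A plain path, no '<'. The bundle must contain the CA that issued
# the replica's ssl_cert (the intermediate, plus the root if the chain
# needs it); a server-side ssl_ca setting does not cover this direction.
ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem

# doveadm listener that the peer's dsync connects to (port from the thread)
service doveadm {
  user = vmail
  inet_listener {
    port = 12345
    ssl = yes
  }
}
doveadm_port = 12345

# Assumption (mine, not stated in the thread): each node's mail_replica
# names its peer, and that host name has to match the CN/SAN of the
# certificate the peer presents, or verification fails even with the
# right CA bundle.
# on server1:
mail_replica = tcps:server2.domain.ltd
# on server2:
#mail_replica = tcps:server1.domain.ltd
```

Two quick checks before restarting Dovecot: `openssl verify -CAfile /etc/ssl/certs/GandiCA2.pem /etc/ssl/certs/key.crt` should print `OK` for the peer's certificate; if it does not, the bundle does not contain that certificate's issuer and the dsync client will reject the replica regardless of how the setting is spelled. `doveconf ssl_client_ca_file` shows the value Dovecot actually parsed, which makes a stray `<` (or a value that is the PEM text rather than a path) obvious at a glance.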